mtrank

Anyone having issues with Symantec Endpoint Protection 12?

5 posts in this topic

Hi All.

Is anyone having issues with the latest v.3.3.8.1 AutoIt scripts and Symantec Endpoint Protection 12?

I am doing several development and scripting projects for a large enterprise and beginning around November 7th, 2012, we started noticing strange issues with our AutoIt scripts that use the latest AutoIt 3.3.8.1. The issues are seemingly random (scripts hang, cannot install them onto PCs, etc.).

We ultimately traced it to Symantec Endpoint Protection v12 blocking our scripts (confirmed by removing SEP from many PCs). Apparently, the SONAR portion of SEP12 would flag our script executables as a "Suspicious.Cloud.2" type virus. SONAR is the heuristics or suspicious activity detection engine. I've been told this engine works similarly to anti-spam in that the target item gets a "score" based on its analysis; if that "score" is above some kind of threshold, it will block it as a possible virus.

We tested older (pre-v.3.3.8.1) compiled AutoIt scripts and it does not affect them. Only the latest v.3.3.8.1 compiled scripts.

Again, it does not happen every time. The AutoIt scripts may work fine one day on a PC, then all of a sudden they won't. And the statistical frequency of this has changed as new Symantec definitions have been rolled out. But still, sometimes it blocks the scripts, sometimes it does not.

Has ANYONE else experienced these or similar issues?

Thank you.

-Mike


Are you using UPX compression on the scripts in question? That sometimes will trigger shitty AV software like SEP to flag it.



I tried that on an individual basis early on but not en masse. It still had the issue.

There are many autoit scripts that run daily on a large number of machines and have been working fine for many years.

It is ONLY the recent combination of the SEP 12 client and certain AutoIt 3.3.8.1 compiled scripts. We initially saw this on Win7 64-bit PCs but are now seeing it on XP machines with SEP 12 as well.

The SEP client version I'm speaking of is 12.1.2015.2015.

Again, the issues are seemingly random. One way we saw the issue is on Win7 64-bit machines: if you simply right-click an AutoIt .EXE file, it would either hang Windows Explorer or take many seconds until the context menu popped up.

Again, is anyone experiencing any issues with SEP 12 and AutoIt 3.3.8.1 compiled scripts?

Is there anyone using this combination at all?

Thank you very much.

-Mike


You've already verified that it's not AutoIt. You'll have to yell at Symantec. Good luck with that.


